Enable HTTP Over SSL: New documentation

Hi,
Fyi, a new article has been published in the CQ5.5 documentation:
Enabling HTTP Over SSL
hope that helps 
scott

Enable ssl for HTTP
    In the administration guide, you should find this:
    you have to modify ssl.conf to enable SSL, and in opmn.xml there is also an option to enable SSL. But to be more accurate, check the guide.
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/sslmid.htm#CHDDGBGF

Similar Messages

  • HTTPS over SSL

    Hi!
    I've been experimenting with SSL and weblogic. I run the following code to retrieve an HTML page.
    public static void main(String[] args) throws Exception {
        java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\tdevos\\.keystore");
        URL ssl = new URL(args[0]);
        BufferedReader in = new BufferedReader(new InputStreamReader(ssl.openStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);
        in.close();
    }
    Everything goes fine over a non HTTPS connection. E.g. when I type in
    java myApp http://localhost:7001
    everything goes fine. However when I run
    java myApp https://localhost:7002
    I get the following error:
    Exception in thread "main" java.io.IOException: HTTPS hostname wrong: should be <localhost>, but cert says <weblogic.bea.com>
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
        at java.net.URL.openStream(URL.java:798)
    I imported the weblogic key in the correct way (I think ...)
    keytool -import -trustcacerts -keystore "C:\Documents and Settings\tdevos\.keystore" -file democert.pem
    I understand that he expects weblogic.bea.com instead of localhost, but what I don't understand is that the example works when I rewrite my code to the following:
    System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\tdevos\\.keystore");
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 7002);
    socket.startHandshake();
    PrintWriter out = new PrintWriter(new BufferedWriter(new OutputStreamWriter(socket.getOutputStream())));
    out.println("GET http://localhost/ HTTP/1.1");
    out.println();
    out.flush();
    if (out.checkError())
        System.out.println("SSLSocketClient: java.io.PrintWriter error");
    /* read response */
    BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
    String inputLine;
    while ((inputLine = in.readLine()) != null)
        System.out.println(inputLine);
    in.close();
    out.close();
    socket.close();
    This is also NOT the way I want to write my code because I'm planning to do SOAP calls over the SSL, so I can't simply use the GET method.
    In my opinion I should tell weblogic to use another private key than the one in the delivered. But how can I make a private key on my own?
    Is there a way to export a private key with the standard java keytool and how can I tell weblogic to use it? If I can get rid of the error
    Exception in thread "main" java.io.IOException: HTTPS hostname wrong: should be <localhost>, but cert says <weblogic.bea.com>
    then everything is fine!
    Thanks in advance for replying
    Tim De Vos

    You can try to abuse the attached code to get your stuff to work. Note: do not try HTTPS POST with Weblogic 6 now. The key point here is the DummyHostnameVerifier. You should not use such a method in your production code.
    import java.io.*;
    import java.net.*;
    import java.security.*;
    import javax.net.ssl.*;

    // The post used the pre-JDK 1.4 com.sun.net.ssl API (with the provider and
    // protocol-handler registration); the javax.net.ssl classes below are the
    // standard equivalents. The post's X509TrustManagerImpl helper was not
    // included, so the default trust manager is used instead.
    public class TestHttpsURL {
        public static void main(String[] args) {
            try {
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
                kmf.init(null, null);                 // no client key: server authentication only
                TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
                tmf.init((KeyStore) null);            // default trust store (cacerts or javax.net.ssl.trustStore)
                SSLContext ctx = SSLContext.getInstance("SSL");
                ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                SSLSocketFactory factory = ctx.getSocketFactory();

                String msg = "USERID=user&PASSWORD=password";
                HttpsURLConnection conn = (HttpsURLConnection)
                        new URL("https://localhost:7002/PostTest.jsp").openConnection();
                conn.setSSLSocketFactory(factory);
                // Accepts any certificate name: the workaround this post warns about.
                conn.setHostnameVerifier(new DummyHostnameVerifier());
                conn.setDoOutput(true);
                // Content-Length and Host are set by HttpURLConnection itself.
                conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
                // The Accept value was cut off in the original post; closed here where it ended.
                conn.setRequestProperty("Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel");
                conn.setRequestProperty("Accept-Language", "en-us");
                conn.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
                OutputStream out = conn.getOutputStream();
                out.write(msg.getBytes());
                out.flush();
                byte[] resp = new byte[1024];
                int len;
                BufferedInputStream in = new BufferedInputStream(conn.getInputStream());
                while ((len = in.read(resp)) > 0) {
                    System.out.print(new String(resp, 0, len, "8859_1"));
                }
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }

    class DummyHostnameVerifier implements HostnameVerifier {
        public boolean verify(String urlHostname, SSLSession session) {
            return true;   // disables hostname checking entirely; never ship this
        }
    }
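    The "HTTPS hostname wrong" error above is the client doing its job: the name in the URL (localhost) is compared with the names the server certificate was issued for (weblogic.bea.com), and the connection is refused on mismatch. As an added example, not code from this thread, the Python block below implements that comparison the way a correct hostname verifier does (subjectAltName first, then the CN, with a single leftmost-label wildcard), reproduces the JSSE message for a mismatch, and builds a client context that keeps verification on. DEMO_CERT is a constructed dict in the layout ssl.SSLSocket.getpeercert() returns; the real fix for Tim's situation is a server certificate issued for the name the client connects to, not a verifier that returns true.

```python
import ssl

# Constructed peer certificate, in the dict layout ssl.SSLSocket.getpeercert()
# returns for a server cert issued to weblogic.bea.com (no real host involved).
DEMO_CERT = {
    "subject": ((("commonName", "weblogic.bea.com"),),),
    "subjectAltName": (("DNS", "weblogic.bea.com"), ("DNS", "*.bea.com")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False        # no partial wildcards such as w*.bea.com, no *.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: SAN dNSName entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names        # when a SAN is present the CN is not consulted
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def verify_hostname(cert: dict, hostname: str) -> bool:
    """What a real HostnameVerifier decides; DummyHostnameVerifier answers True here."""
    return any(_dns_match(name, hostname) for name in cert_names(cert))


def explain(cert: dict, hostname: str) -> str:
    """Reproduce the JSSE message from the thread for a mismatch."""
    if verify_hostname(cert, hostname):
        return "ok: certificate is valid for <%s>" % hostname
    return "HTTPS hostname wrong: should be <%s>, but cert says <%s>" % (
        hostname, ", ".join(cert_names(cert)))


def verifying_context() -> ssl.SSLContext:
    """Client context with chain and hostname verification on, i.e. the equivalent
    of leaving HttpsURLConnection's default verifier alone."""
    ctx = ssl.create_default_context()
    # check_hostname=False plus verify_mode=CERT_NONE would be the Python
    # counterpart of DummyHostnameVerifier: the peer could present any certificate.
    return ctx


if __name__ == "__main__":
    print(explain(DEMO_CERT, "localhost"))
    print(explain(DEMO_CERT, "portal.bea.com"))
    print("verification on:", verifying_context().check_hostname)
```

    On the Java side the equivalent of a matching name is a key pair generated with a CN, or better a subjectAltName (keytool's -ext SAN=dns:localhost option on Java 7 and later), equal to the host name the client uses, imported into the client trust store exactly as Tim did with democert.pem.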

  • How to enable https or SSL for login page only?

    Hi,
    My application is running in iPlanet Web Server 4.1.
    How do I make only my login page secured (SSL)?
    Previously we had enabled HTTPS for the whole application, but the client specifically wants it for the login page only, not for the whole application. How can I enable SSL for the login page only in iPlanet 4.1?
    I searched through the iPlanet console, but I didn't find any such option.
    I found one more thing in the console, i.e., "encrypt on or off". If I set encrypt "on", does that mean it will be for the whole application? How can I make it for the login page only?
    Do I need to do any code changes for that?
    I tried through the web.xml security-constraint tags, but it is not working and not taking that file, as we are doing everything in the servlet.properties and rules.properties files.
    Can anybody help me in this regard?
    Regards,
    Chandu

    You specify SSL in the web.xml of your application. So, in that case other web applications on the same server would not be affected.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>myresources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    The following link will help you to set up SSL in Tomcat:
    http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
    Thanks,
    Mrityunjoy
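    The constraint above uses the url-pattern /* and therefore forces every request onto HTTPS, which is the whole-application setup Chandu wants to move away from; restricting the pattern is what scopes it to the login page. As an added example, not part of this answer, the Python block below reads a deployment descriptor and reports which url-patterns carry a CONFIDENTIAL or INTEGRAL transport-guarantee and which are left in the clear, so the effect of a login-only constraint can be audited before deployment. WEB_XML is a constructed descriptor with a login-only constraint and one unprotected area.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: only the login page and the form-login target are forced
# onto HTTPS; /catalog/* is explicitly left without a transport guarantee.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/j_security_check</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/catalog/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

TLS_GUARANTEES = ("CONFIDENTIAL", "INTEGRAL")


def transport_guarantees(web_xml: str) -> dict:
    """Map every url-pattern in the descriptor to its transport-guarantee.

    A security-constraint without a user-data-constraint means NONE, which is
    why the default is NONE rather than an error. The {*} wildcard matches the
    descriptor's namespace whatever Java EE version it declares.
    """
    result = {}
    root = ET.fromstring(web_xml)
    for constraint in root.findall("{*}security-constraint"):
        guarantee = constraint.findtext(
            "{*}user-data-constraint/{*}transport-guarantee", default="NONE").strip()
        for pattern in constraint.findall("{*}web-resource-collection/{*}url-pattern"):
            result[pattern.text.strip()] = guarantee
    return result


def unprotected_patterns(web_xml: str) -> list:
    """URL patterns the descriptor does not force onto HTTPS."""
    return sorted(pattern for pattern, guarantee in transport_guarantees(web_xml).items()
                  if guarantee not in TLS_GUARANTEES)


def login_only(web_xml: str, login_patterns) -> bool:
    """True when exactly the given patterns (and nothing else) require TLS."""
    protected = {p for p, g in transport_guarantees(web_xml).items() if g in TLS_GUARANTEES}
    return protected == set(login_patterns)


if __name__ == "__main__":
    for pattern, guarantee in sorted(transport_guarantees(WEB_XML).items()):
        print("%-20s %s" % (pattern, guarantee))
    print("in the clear:", unprotected_patterns(WEB_XML))
```

    One caveat the descriptor cannot express: a session established over the HTTPS login page is still identified by a cookie, and if the rest of the application is served over HTTP that cookie travels in the clear on every later request unless it is marked Secure (in which case the browser will not send it over HTTP at all). Login-only TLS protects the password, not the session.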

  • SOAP over SSL

    Hi
    I have the certificate ForKaraganda.pfx.
    I need to connect to a .NET SOAP web service that uses client-certificate authentication over HTTP over SSL and execute a remote function.
    import java.net.URL;
    import javax.xml.soap.*;

    String file = "c:\\tmp\\ForKaraganda.pfx";
    String pass = "123456";
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.keyStore", file);
    System.setProperty("javax.net.ssl.keyStorePassword", pass);
    URL url = new URL("https://something.kz");
    SOAPConnectionFactory fac = SOAPConnectionFactory.newInstance();
    SOAPConnection con = fac.createConnection();
    MessageFactory messageFactory = MessageFactory.newInstance();
    SOAPMessage message = messageFactory.createMessage();
    SOAPHeader header = message.getSOAPHeader();
    SOAPBody body = message.getSOAPBody();
    SOAPFactory soapFactory = SOAPFactory.newInstance();
    javax.xml.soap.Name bodyName = soapFactory.createName("SelectUserByUIN", "", "http://something2.kz/");
    javax.xml.soap.Name name = soapFactory.createName("uin");
    SOAPBodyElement bodyElement = body.addBodyElement(bodyName);
    SOAPElement uin = bodyElement.addChildElement(name);
    uin.addTextNode("234234234242");
    SOAPMessage response = con.call(message, url);
    But this error happened:
    AWT-EventQueue-0, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    AWT-EventQueue-0, SEND TLSv1 ALERT:  fatal, description = internal_error
    AWT-EventQueue-0, WRITE: TLSv1 Alert, length = 2
    [Raw write]: length = 7
    0000: 15 03 01 00 02 02 50                               ......P
    AWT-EventQueue-0, called closeSocket()
    24.01.2008 14:39:56 com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
    SEVERE: SAAJ0009: Message send failed
    com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
    Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:140)
         ... 29 more
    ...How do I fix it?


  • How to enable https in Oracle BPEL Process Manager 10.1.2

    Hi,
    I have a few security related questions surrounding BPEL process manager.
    1. Does the BPEL engine have the capability to invoke a web service using https (HTTP over SSL)? Does it automatically do that if partner link URI starts with https:// ?
    2. If not, what needs to be done to enable accessing a https based web service?
    Thanks,
    Vidya

    Eric,
    I had applied the steps specified in the URL and modified the files default-web-site.xml, secure-web-site.xml and server.xml in directory Ora_Home\j2ee\home\config. Able to invoke the application deployed in Ora_Home\j2ee\home\applications successfully using https.
    For securing BPEL process I had followed the same steps by modifying files default-web-site.xml, secure-web-site.xml and server.xml in directory Ora_Home\j2ee\OC4J_BPEL\config. While invoking the BPEL Processes using https protocol I am facing error “HTTP 500 - Internal server error”, after the security alert popup.
    Do I need to do any other configurations for securing BPEL processes deployed in Ora_Home\integration\orabpel\domains\default\deploy directory?
    Please assist me on this.
    Thanks,
    Vidya

  • LDAP over SSL

    A hosted service wants to authenticate against our AD.  They recommend using LDAPS. 
    What is best practice?  Install a public certificate on a DC. 
    For instance on DC1.contoso.com.  Then would I open up 443 on the firewall to that DC and allow from that IP? How would that affect other local LAN clients authenticating to that DC?

    If it's a hosted service and it supports ADAM/AD LDS, then it's much safer to use them instead of an RWDC or RODC. Enabling LDAP over SSL enhances the security of how information is transmitted when a client contacts a DC for information (authentication/authorization).
    Normally, without LDAPS configured in the environment, when a client queries a DC in the domain the information is transmitted in plain text, which can be read by a hacker using freely available tools. The reason is simple: the information in transit is not encrypted, but enabling LDAP over SSL prevents the unencrypted queries and provides more security.
    You can't simply implement LDAP over SSL; it needs a PKI infrastructure, planning and design, which is comprehensively listed in the document URL posted by Justin. You can also use LDAP over SSL with AD LDS.
    http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • BizTalk Tracking Profile Editor not tracking the data and how to implement the Orchestration as wcf service over SSL

    Hi Ashwinprabhu,
    thank you very much for your answer.
    I have one more query. I have an orchestration published as a WCF service in IIS, and internally the orchestration calls one more service; it means the orchestration sends a request and gets a response back from the service.
    Actually we are implementing a copy of that called service through a BizTalk orchestration for system automation and tracking of failed messages and network failures.
    But the tracking profiler is not tracking the data.
    And we need to develop the HTTP service as HTTPS (over SSL). We implemented it in IIS using a self-signed certificate; it works only for browsing the WSDL (in a browser). We are not able to test the service in the WCF Test Client, it gives a WSDL error: the schema reference in the WSDL shows HTTP only.
    Please help me how to resolve the issue.
    Teegala

    First things first, I think it's best to publish only schemas as a WCF service for dependency management reasons. That said, WSDL availability is covered in the WCF adapter under the behaviors. If you're using HTTPBasic this may be hard to modify, but using WCFCustom allows you to add the WSDL behavior and specify that it should be available via HTTPS.
    As to the BAM, are you using TPE within the orchestration or at the port level? I'd imagine your TPE tracks the start and end events of your orchestration using the Orchestration Schedule. If you're fairly confident that the TPE is correct and yet don't see BAM data, 1) make sure your SQL Agent is running healthy and all jobs look OK and 2) check the TDDS tables in both the message box and the BAMPrimaryImport databases. These will show you if there has been some sort of sync issue. There's even a TDDS errors table, so check that out.
    Kind Regards,
    -Dan
    If this answers your question, please Mark as Answer

  • POP over SSL in Messaging 5.2

    I'm running Messaging 5.2, build 2002.51.1611 (iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005)) and would like to see if I can enable POP over SSL on that host.
    According to BugID 4712887, POP over SSL works. When I follow the instructions in that document, I get the following errors:
    ./configutil -o service.pop.enablesslport -v 1
    General Error: func=configmsg_setkeys; func=psetSetAttrList; error=Attribute does not exist
    NO Unable to set option(service.pop.enablesslport)
    ./configutil -o service.pop.sslport -v 995
    [18/Nov/2005:18:34:45 +0000] mocbox5 [16332]: General Error: func=configmsg_setkeys; func=psetSetAttrList; error=Attribute does not exist
    NO Unable to set option(service.pop.sslport)
    service.pop.sslusessl is set to "yes"
    Is this wrong? Does POPS only run on Sun Java Enterprise Messaging (6.x)?
    Thanks,
    Don Holtzer

    try using the -l with your configutil setting
    configutil -o -l service.pop.enablesslport -v yes
    etc.

  • Enabling SOAP over HTTPs on PI7.0

    Hello
    We have a requirement to connect PI7.0 to PI7.1 with SOAP over HTTPS. Would you please let us know all the configuration needed:
    1. Settings required to be done on PI7.0 (Communication Channels, Receiver and Sender agreements)
    2. Where to put the private key and root certificate in Visual Admin
    3. Port configuration for outbound and inbound traffic
    4. Enabling of SSL on PI7.0
    5. Any ICM related settings on PI7.0
    Thanks & Regards

    Hi Uttam,
    For using the HTTPS protocol, you have to choose the HTTPS option in the 'HTTP Security Level' parameter on the SOAP sender communication channel.
    For using the HTTPS protocol, the SSL certificates need to be deployed on the server.
    Below are the links for more information on SSL certificates:
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/
    For the steps for choosing and installing SSL, refer to the links below:
    /people/aniket.tare/blog/2005/03/22/ssl-certificate-installation-procedure-for-sap-j2ee-engine-630-150-steps-in-visual-administrator
    http://info.ssl.com/article.aspx?id=10694
    -Supriya.

  • Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

    In the iPlanet Web Server, Enterprise Edition Administrator's guide, chapter 5 (Securing your web server - Using SSL and TLS), it is specified that the Administration server can communicate over LDAP over SSL with a Directory that has SSL enabled.
    Is there any way to configure the iPlanet Administration server to talk LDAP/SSL in mutual authentication mode with a directory?

    Hi,
    Sorry, I could not understand what you are trying to do with iWS.
    Could you please briefly explain your question, so that I can help you?
    Regards,
    Dakshin.
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support.

  • "Over 100 New Features List" ??

    Ever since the release of IOS4, I have heard the term "over 100 new features" thrown around, yet I can not find an official list of these features. Does anybody know where an official list can be found with each feature number listed out? I feel like it is just a hype term they have used, but it isn't documented anywhere. Any help would be greatly appreciated!

    ^ that one is very good.
    http://webtrickz.com/new-features-in-ios-4-iphone-os-4-software/
    Multitasking support for third-party apps*
      – Multitasking user interface to quickly move between apps
      – Support for audio apps to play in the background
      – VoIP apps can receive and maintain calls in the background or when device is asleep
      – Apps can monitor location and take action while running in the background
      – Alerts and messages can be pushed to apps using push and local notifications
      – Apps can complete tasks in the background
    Folders to better organize and access apps
    Home screen Wallpaper*
    Mail improvements
      – Unified inbox to view emails from all accounts in one place
      – Fast inbox switching to quickly switch between different email accounts
      – Threaded messages to view multiple emails from the same conversation
      – Attachments can be opened with compatible third-party apps
      – Search results can now be filed or deleted
      – Option to select size of photo attachments
      – Messages in the Outbox can be edited or deleted
    Support for iBooks and iBookstore (available from the App Store)
    Photo and Camera improvements
      – 5x digital zoom when taking a photo**
      – Tap to focus during video recording**
      – Ability to sync Faces from iPhoto
      – Geo-tagged photos appear on a map in Photos
    Ability to create and edit playlists on device
    Calendar invitations can be sent and accepted wirelessly with supported CalDAV servers
    Support for MobileMe calendar sharing
    Suggestions and recent searches appear during a web search
    Searchable SMS/MMS messages**
    Spotlight search can be continued on web and Wikipedia
    Enhanced location privacy
      – New Location Services icon in the status bar
      – Indication of which apps have requested your location in the last 24 hours
      – Location Services can be toggled on or off for individual apps
    Automatic spellcheck
    Support for Bluetooth keyboards*
    iPod out to navigate music, podcasts and audiobooks through an iPod interface with compatible cars
    Support for iTunes gifting of apps
    Wireless notes syncing with IMAP-based mail accounts
    Persistent WiFi connection to receive push notifications*
    New setting for turning on/off cellular data only**
    Option to display the character count while composing new SMS/MMS**
    Visual Voicemail messages can be kept locally even if they have been deleted from the server**
    Control to lock portrait orientation*
    Audio playback controls for iPod and third-party audio apps*
    New languages, dictionaries and keyboards
    Accessibility enhancements*
    Bluetooth improvements
    Better data protection using the device passcode as an encryption key* (Requires full restore.)
    Support for third-party Mobile Device Management solutions
    Enables wireless distribution of enterprise applications
    Exchange Server 2010 compatibility
    Support for multiple Exchange ActiveSync accounts
    Support for Juniper Junos Pulse and Cisco AnyConnect SSL VPN apps (available from the App Store)
    More than 1,500 new developer APIs
    Bug fixes

  • How to set up iPhone 5 iOS 6 email with IMAP over SSL on a custom port?

    Basically I have the same problem as this guy 5 years ago but the thread contained no useful answer. Maybe there are people out there who became smarter in the meantime? Please help me out how to get my iPhone read emails via IMAP over SSL on a custom port to the corporate server. The issue is that the iPhone only seems to work if you use the standard 993 port for IMAPS, not with a custom port as we have. I've installed the corporate root certificate in a profile, and it shows up as trusted and verified in the phone, so that should not be the issue. The mail app in the iPhone tries to connect, I can verify that from the server, but then does nothing, doesn't try to authenticate, doesn't log out, nothing is going on, and then drops the connection after 60 seconds. Repeats this every 5 minutes (as set to fetch e-mail every 5 minutes.)
    Original thread 5 years ago: https://discussions.apple.com/message/8104869#8104869

    Solved it by some (a lot) of fiddling.
    Turns out it's not a bug in the iPhone, it's a feature.
    Here's how to make it work.
    DOVECOT
    If the IMAPS port is anything other than 993 (the traditional IMAPS port) the iPhone's Mail App takes the "Use SSL" setting on the IMAP server as 'TLS', meaning it starts the communication in plain text and then issues (tries to issue) the STARTTLS command to switch the connection to encrypted. If, however, Dovecot is set up to start right away in encrypted mode, the two cannot talk to each other. For whatever reason neither the server nor the client realizes the connection is broken and only a timeout ends their misery.
    More explanation about SSL/TLS in the Dovecot wiki: http://wiki2.dovecot.org/SSL
    So to make this work, you have to set Dovecot the following way. (Fyi, I run Dovecot 2.0.19, versions 1.* have a somewhat different config parameters list.)
    1. In the /etc/dovecot/conf.d/10-master.conf file make sure you specify the inet_listener imap and disable imaps (set its port to 0) like this:
    service imap-login {
      inet_listener imap {
        port = --your port # here--
      }
      inet_listener imaps {
        port = 0
        ssl = yes
      }
    }
    This of course enables unencrypted imap for all hackers of the universe so you quickly need to also do the things below.
    2. In the /etc/dovecot/conf.d/10-ssl.conf file, make sure you set (uncomment) the following:
    ssl = required
    This sets Dovecot to only serve content to the client after a STARTTLS command was issued and the connection is already encrypted.
    3. In /etc/dovecot/conf.d/10-auth.conf set
    disable_plaintext_auth = yes
    This prevents plain text password authentication before encryption (TLS) is turned on. If you have also set ssl=required as per step 2, that will prevent all other kinds of authentications too on an unencrypted connection.
    When debugging this, please note that if you connect from localhost (the same machine the server runs on) disable_plaintext_auth=yes has no effect, as localhost is considered secure. You have to connect from a remote machine to make sure plain text authentication is disabled.
    Don't forget service dovecot restart.
    To test if your setup works as it's supposed to, issue the following (green) from a remote machine (not localhost) (I'm using Ubuntu, but telnet and openssl is available for almost all platforms) and make sure Dovecot responds with something like below (purple):
    telnet your.host.name.here yourimapsportnumber
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
    Most importantly, make sure you see 'STARTTLS' and 'LOGINDISABLED'. Then issue STARTTLS and hopefully you see something like this:
    a STARTTLS
    a OK Begin TLS negotiation now.
    (The 'a' in front of STARTTLS is not a typo, a prefix is required by the IMAP server in front of all commands.)
    Close the telnet (with 'a logout' or Ctrl+C) and you can use openssl to further investigate as you would otherwise; at the end of a lot of output including the certificate chain you should see a line similar to the one below:
    openssl s_client -starttls imap -connect your.domain.name.here:yourimapsportnumber
    . OK Pre-login capabilities listed, post-login capabilities have more.
    You can then use the capability command to look for what authentication methods are available, if you see AUTH=PLAIN, you can then issue a login command (it's already under an encrypted connection), and if it's successful ("a OK Logged in"), then most likely your iPhone will be able to connect to Dovecot as well.
    a capability
    * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
    a login username password
    * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
    a OK Logged in
    POSTFIX
    Likewise, you have to set Postfix to wait for STARTTLS before encrypting the communication.
    1. You have to delete the setting smtpd_tls_wrappermode=yes from /etc/postfix/master.cf and/or /etc/postfix/main.cf, if it was enabled. This will mean Outlook won't be able to connect any more because it requires a TLS connection without issuing STARTTLS as per Postfix documentation (haven't tested). In my case we don't use Outlook so I didn't care. Outlook + iPhone + custom SMTPS port are simply not possible together at the same time as far as I understand. Pick one to sacrifice.
    2. Require encrypted (TLS) mode for any data transfer in /etc/postfix/main.cf:
    smtpd_tls_security_level = encrypt
    3. Authentication should only happen while already in encrypted (TLS) mode, so set in /etc/postfix/main.cf:
    smtpd_tls_auth_only = yes
    Don't forget postfix reload.
    To test if this works, issue the following telnet and wait for the server's greeting:
    telnet your.host.name.here yoursmtpsportnumber
    220 your.host.name ESMTP Postfix (Ubuntu)
    Then type in the EHLO and make sure the list of options contains STARTTLS and does not include an AUTH line (that would mean unencrypted authentication is available):
    ehlo your.host.name.here
    250-STARTTLS
    Then issue starttls and wait for the server's confirmation:
    starttls
    220 2.0.0 Ready to start TLS
    Once again, it's time to use openssl for further testing, detailed info here http://qmail.jms1.net/test-auth.shtml
    CERTIFICATES
    You also need to be aware that iOS is somewhat particular when it comes to certificates. First of all, you have to make sure to set the following extensions on your root certificate (probably in the [ v3_ca ] section in your /etc/ssl/openssl.cnf, depending on your openssl setup), especially the 'critical' keyword:
    basicConstraints = critical,CA:true
    keyUsage = critical, cRLSign, keyCertSign
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    And then on the certificate you sign for your mail server, set the following, probably in the [ usr_cert ] section of /etc/ssl/openssl.cnf:
    basicConstraints=CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    subjectAltName = DNS:your.domain.name.here
    issuerAltName=issuer:copy
    Please note, the above are results of extensive google-ing and trial and error, so maybe you can omit some of the stuff above and it still works. When it started working for me, I stopped experimenting because figuring this all out already took way too much time. The iPhone is horribly undocumented when it comes to details of its peculiar behaviors. If you experiment more and have more accurate information, please feel free to post here as a reply to this message.
    You have to import your root certificate into your iPhone embedded in a profile via the iPhone Configuration Utility (free, but only available in Windows or a Mac; details here: http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/ ), after having first added it to Windows' certificate store as a trusted root certificate. This way the Utility will sign your certificate for the phone and it becomes usable; if you just add it from the phone it will be there but won't be used. Using a profile has the added benefit of being able to configure mail settings in it too, and that saves a lot of time when you have to install, remove, reconfigure, install again, etc. a million times until it works.
    Another undocumented constraint is that the key size is limited to a max of 4096. You can actually install a root certificate with a larger key, the iPhone Configuration Utility will do that for you without a word. The only suspicious thing is that on the confirmation screen shown on your iPhone when you install the profile you don't get the text "Root Certificate/ Installing the certificate will add it to the list of trusted certificates on your iPhone" in addition to your own custom prompt set up in the iPhone Configuration Utility. The missing additional text is your sign of trouble! - but how would you know that before you saw it working once? In any case, if you force the big key certificate on the device, then when you open the Mail App, it opens up and then crashes immediately. Again, without a word. Supposedly Apple implemented this limit on the request of the US Government, read more here if you're interested: http://blogs.microsoft.co.il/blogs/kamtec1/archive/2012/10/13/limitation-of-apple-devices-iphone-ipad-etc-on-rsa-key-size-bit.aspx .
    IN CLOSING...
    With all this, you can read and send email from your iPhone.
    Don't forget to set all your other clients (Thunderbird, Claws, etc.) to also use STARTTLS instead of SSL, otherwise they won't be able to connect after the changes above.
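    An added example, not part of the original post and not Dovecot's or Postfix's own code: a small POSIX shell script that applies the checks described above (STARTTLS and LOGINDISABLED advertised, no AUTH= mechanism before encryption for IMAP; STARTTLS present and no AUTH line in the EHLO reply for SMTP) to the greeting and EHLO text that telnet shows. The sample replies are constructed after the ones in the post; host names are placeholders. The two probe functions at the end run the same test live with openssl s_client and are only for interactive use.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the
# STARTTLS-only policy described in the post, applied to the server text
# that telnet prints. Sample replies below are constructed.

# Return 0 when an IMAP greeting advertises STARTTLS and LOGINDISABLED and
# offers no AUTH= mechanism while the connection is still plain text.
imap_greeting_ok() {
    greeting="$1"
    case "$greeting" in
        "* OK [CAPABILITY "*"]"*) ;;
        *) return 1 ;;
    esac
    caps=${greeting#"* OK [CAPABILITY "}      # drop the prefix ...
    caps=${caps%%"]"*}                         # ... and everything after ']'
    case " $caps " in *" STARTTLS "*) ;;      *) return 1 ;; esac
    case " $caps " in *" LOGINDISABLED "*) ;; *) return 1 ;; esac
    case " $caps " in *" AUTH="*) return 1 ;; esac
    return 0
}

# Return 0 when an EHLO reply lists STARTTLS and no AUTH line, i.e. the
# server refuses to authenticate before TLS (smtpd_tls_auth_only = yes).
smtp_ehlo_ok() {
    reply="$1"
    printf '%s\n' "$reply" | grep -qE '^250[- ]STARTTLS' || return 1
    if printf '%s\n' "$reply" | grep -qE '^250[- ]AUTH'; then
        return 1
    fi
    return 0
}

# Constructed sample replies (modelled on the ones shown in the post).
GOOD_IMAP='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.'
BAD_IMAP='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.'
GOOD_SMTP='250-mail.example.test
250-PIPELINING
250-STARTTLS
250 8BITMIME'
BAD_SMTP='250-mail.example.test
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME'

# Live versions of the same checks: talk STARTTLS with openssl, then ask for
# the post-TLS capabilities / EHLO list the way the post does by hand.
imap_starttls_probe() {   # usage: imap_starttls_probe host port
    printf 'a capability\r\na logout\r\n' |
        openssl s_client -quiet -starttls imap -connect "$1:$2" 2>/dev/null
}
smtp_starttls_probe() {   # usage: smtp_starttls_probe host port
    printf 'EHLO probe.example.test\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null
}

if [ "${1:-}" = demo ]; then
    imap_greeting_ok "$GOOD_IMAP" && echo "good IMAP greeting: STARTTLS-only"
    imap_greeting_ok "$BAD_IMAP"  || echo "bad IMAP greeting: plain-text AUTH offered"
    smtp_ehlo_ok "$GOOD_SMTP"     && echo "good EHLO reply: AUTH only after STARTTLS"
    smtp_ehlo_ok "$BAD_SMTP"      || echo "bad EHLO reply: AUTH offered before TLS"
fi
```

    Run it as `sh check_starttls.sh demo` to see the sample verdicts; feed `imap_greeting_ok` the first line telnet prints, or `smtp_ehlo_ok` the block after your `ehlo`, to check your own server. The IMAP parser deliberately fails closed when the greeting does not carry a bracketed CAPABILITY list, because then nothing can be said about what the server offers.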
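    Another added example, not from the original post and not openssl's own documentation: a shell script that builds a throw-away root CA and mail server certificate with the extension sets listed in the CERTIFICATES section, then checks the properties the post says iOS insists on (critical CA:TRUE basicConstraints, critical keyUsage with keyCertSign, an RSA key of at most 4096 bits, and a server certificate that chains to the root and names the mail host in its subjectAltName). All names (example.test, "Example Root CA") are constructed; issuerAltName is left out of the demo config because the throw-away root has no subjectAltName to copy.

```shell
#!/bin/sh
# Added example (not from the original post): generate demo certificates
# with the post's extensions and verify the iOS-related constraints.

make_demo_certs() {   # prints a temp dir containing ca.crt, srv.crt and keys
    dir=$(mktemp -d) || return 1
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
# Root certificate extensions, as listed in the post
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Mail server certificate extensions, as listed in the post
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:mail.example.test
EOF
    # 4096-bit root: the largest key size the post reports iOS accepting
    openssl req -x509 -new -nodes -newkey rsa:4096 -days 3650 \
        -subj "/CN=Example Root CA" -config "$dir/ext.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=mail.example.test" \
        -config "$dir/ext.cnf" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 825 -in "$dir/srv.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ext.cnf" \
        -extensions usr_cert -out "$dir/srv.crt" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

# Check the decoded text of a root certificate: critical CA:TRUE
# basicConstraints, critical keyUsage including keyCertSign, RSA <= 4096 bits.
root_text_ok() {
    txt="$1"
    printf '%s\n' "$txt" | grep -q 'Basic Constraints: critical' || return 1
    printf '%s\n' "$txt" | grep -q 'CA:TRUE'                     || return 1
    printf '%s\n' "$txt" | grep -q 'Key Usage: critical'         || return 1
    printf '%s\n' "$txt" | grep -q 'Certificate Sign'            || return 1
    # "Public-Key: (4096 bit)" in current releases, "RSA Public-Key:" in 1.1.1
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -le 4096 ]
}

check_ios_root() {   # usage: check_ios_root ca.crt
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    root_text_ok "$txt"
}

check_server_cert() {   # usage: check_server_cert ca.crt srv.crt mail.host.name
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

if [ "${1:-}" = demo ]; then
    d=$(make_demo_certs) && check_ios_root "$d/ca.crt" &&
        check_server_cert "$d/ca.crt" "$d/srv.crt" mail.example.test &&
        echo "demo certificates in $d pass the checks"
fi
```

    Point `check_ios_root` at your real root certificate and `check_server_cert` at your CA, your mail server certificate and the host name the iPhone connects to; a key larger than 4096 bits is reported as a failure rather than discovered, as the post describes, by the Mail App crashing.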

  • WebDAV not working over SSL on CSS11503

    SOME HISTORY
    As you may recall we had an issue with interoperability between our WebCT Vista application and the Cisco CSS11503 Load Balancer. In a nutshell the Load Balancer would inject custom HTTP headers into HTTP packets, but only into the first HTTP packet of a TCP session. With your help we've learned that Cisco will change this in the August release of the CSS software.
    OUR NEW PROBLEM
    We are now having a related problem. In short, we cannot get WebDav to work over SSL. That is, when connecting from Client to Load Balancer via SSL, and then Load Balancer to Web Server via plaintext, our application fails. Conversely, when we maintain a clear text connection straight through from Client to Web server WebDav works.
    After doing some network traces of WebDav connections both with and without SSL I think we've discovered the cause of the problem: the Load Balancer fails to add our custom HTTP header "WL-Proxy-SSL: true" to HTTP "PROPFIND" requests, even though it correctly adds them to the HTTP "OPTIONS" requests.
    HOW WE CONFIGURED THE LOAD BALANCER
    We configured our Load Balancer with the Global configuration of
    http-method parse RFC2518-methods
    and with the command
    ssl-server 20 http-header static "WL-Proxy-SSL: true"
    so that the header "WL-Proxy-SSL: true" will be passed with the HTTP headers used for WebDav as well as with the 'standard' HTTP headers "GET, POST, HEAD", etc.
    Below is the relevant passage from the "CSS Command Reference" at
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdgloba.htm#wp1432749
    ======================================================================
    "By default, a Layer 5 content rule supports the HTTP CONNECT, GET, HEAD, POST, and PUT methods. Unless configured, the CSS recognizes and forwards the following HTTP methods directly to the destination server in a transparent caching environment, but does not load balance them:
    OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK, UNLOCK, COPY, and DELETE.
    When you enable the CSS to support all RFC-2518 methods, the CSS parses the Request-URI field in an attempt to match a Layer 5 rule. If the contents of the Request-URI field are not in a compliant format of an absolute URI or an absolute path, the CSS tries to match the field to the next best wildcard ("/*") rule. If the match fails, the CSS attempts to match the Layer 4 rule, and then the Layer 3 rule."
    ========================================================================
    I interpret this to mean that when we configure "http-method parse RFC2518-methods" the load balancer will treat all the HTTP headers in the group "OPTIONS, TRACE, PROPFIND, ...", etc. the same as the "standard" HTTP headers "GET, POST, HEAD", etc.
    As I said earlier, our network traces show that the "WL-Proxy-SSL: true" header is present in the HTTP header OPTIONS but *not* in the header "PROPFIND".
    A BUG IN THE CSS COMMAND PROCESSOR?
    By my reckoning, this behaviour must be a bug in the CSS Command processor, because whatever the CSS does for the "OPTIONS" header it should also do for the "PROPFIND" header.
    ATTACHMENTS
    I've included three attachments.
    trace.txt - text output from Ethereal of the network trace on the web server, with comments.
    webdav.ssl.snoop - the original network trace in Sun's 'snoop' format.
    css.2.cfg - the running configuration on the CSS11503
    Thanks in advance for your help.
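    An added example, not from the original post and not Cisco's or WebCT's code: a POSIX shell/awk function that walks a plain-text dump of HTTP requests (the kind of output the Ethereal trace mentioned above yields) and lists the methods whose requests lack a given header, which is the check the poster did by hand. The trace below is constructed to mirror the symptom described; the host name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): find HTTP methods whose
# requests in a text trace are missing an expected injected header.

# usage: methods_missing_header "$trace" "Name: value"
# Prints one method per request block that lacks the header (exact line,
# header name compared case-insensitively). Requests are separated by a
# blank line and start with a request line such as "PROPFIND /x HTTP/1.1".
methods_missing_header() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function report() { if (!seen) print method; method = "" }
        { sub(/\r$/, "") }                                  # tolerate CRLF dumps
        /^[A-Z]+ [^ ]+ HTTP\/1\.[01]$/ { if (method != "") report()
                                         method = $1; seen = 0; next }
        tolower($0) == tolower(want)    { seen = 1 }
        /^$/                            { if (method != "") report() }
        END                             { if (method != "") report() }'
}

# Constructed trace: the balancer added the header to OPTIONS and GET but
# not to PROPFIND, as the poster observed.
TRACE='OPTIONS /webdav/ HTTP/1.1
Host: vista.example.test
WL-Proxy-SSL: true
User-Agent: Microsoft Data Access Internet Publishing Provider

PROPFIND /webdav/ HTTP/1.1
Host: vista.example.test
Depth: 1
User-Agent: Microsoft Data Access Internet Publishing Provider

GET /webdav/index.html HTTP/1.1
Host: vista.example.test
WL-Proxy-SSL: true
'

if [ "${1:-}" = demo ]; then
    echo "methods without WL-Proxy-SSL header:"
    methods_missing_header "$TRACE" 'WL-Proxy-SSL: true'
fi
```

    Run with `sh trace_check.sh demo`, or pipe your own text dump into the function. Since the back end treats "WL-Proxy-SSL: true" as proof that the client leg was encrypted, the same function run against requests captured in front of the balancer is a quick way to confirm that the header only ever appears on the balancer-to-server leg, i.e. that the balancer strips any copy a client sends.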

    Hi
    I finally discovered what is the issue here. It appears that in case of unsigned applets, the code is unable to access the SunJCE provider which contains most of the ciphers used by the SSL protocol. This means that a session with the SSL server is broken and effectively the applet is not initialised.
    This problem is related to configuration of JRE under linux due to export control restrictions. Unfortunately I don't know how to make JRE to use SunJCE by default.
    As a workaround I have set up the following policies using Policy Manager:
    grant {
      permission java.security.SecurityPermission "putProviderProperty.SunJCE";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
    };
    I don't know how insecure my actions are, but this definitely fixed problems with applets under SSL / HTTPS.
    Feel free to send me your ideas how to fix this issue in more elegant way.
    Best,
    Marcin

  • Connecting to a remote OpenLDAP server over SSL.

    I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
    I've created a CA with a self-signed certificate.
    I used that CA to create a server and client certificate.
    The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf point to it and the CA certificate.
    The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
    ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
    Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
    I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
    It is to say; Directory Utility hangs for a while; after which it goes back to the box I clicked Continue in without any error or warning popping up; but obviously hasn't advanced.
    The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
    My Mac Console shows something even more bizarre, though:
    11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldap_search_ext, file search.c, line 76.
    My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
    Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
    Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
    TLSVerifyClient never
    (And of course, the client:)
    TLS_REQCERT demand

    By the way; about the assertion error I get in Console; here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
    /*
     * ldap_search_ext - initiate an ldap search operation.
     * Parameters:
     *   ld    LDAP descriptor
     */
    int
    ldap_search_ext(
        LDAP *ld,
        assert( ld != NULL );

  • Web Service over SSL failing in BEA Workshop

    I have deployed a web service on weblogic 9.2
    I have enabled one-way ssl on it. got a trial ssl certificate from verisign. installed them on the keystore/truststore on the server as well as the jre (cacerts and jssecacerts truststores) being used by the client. the client is on different machine than the server.
    i have developed the service through 'bea weblogic workshop 9.2' now when i try to test the service through the 'web services explorer' within bea weblogic workshop i receive the following error:
    IWAB0135E An unexpected error has occurred.
    IOException
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    on server:
    <Jul 13, 2009 6:45:44 PM EDT> <Warning> <Security> <BEA-090485> <CERTIFICATE_UNKNOWN alert was received from yunus.l1id.local - 10.10.2.72. The peer has an unspecified issue with the certificate. SSL debug tracing should be enabled on the peer to determine what the issue is.>
    if i try to access the web service (over ssl) through the browser (ie/firefox), it works fine. i have generated a proxy class to access this web service through the same bea workshop and that works fine too. certificates are identified and all. i also created a small .net (c#) application that calls this secure web service over ssl from another machine and it works fine too!
    of course non-secure url for the web service is working fine in every case.
    what can be the reason for this failing only in 'web services explorer' in bea workshop?
    cross posted at: http://www.coderanch.com/t/453879/Web-Services/java/Web-Service-over-SSL-failing
    thanks.

    Hello,
    I used this example, when I made my experiments with SSL and Glassfish (GF):
    http://java.sun.com/developer/EJTechTips/2006/tt0527.html#1
    If you have problems with GF I suggest to post a message here:
    http://forums.java.net/jive/forum.jspa?forumID=56
    e.g. here is one thread:
    http://forums.java.net/jive/thread.jspa?threadID=59993&tstart=0
    Miro.
